Why a security team embraces shadow IT
- 18 August, 2016 21:00
When you hear the phrase "getting ahead of shadow IT," it typically comes from a CIO who is implementing new technologies so that employs won’t take it upon themselves to purchase tools. But you don't expect such proactive practices from an enterprise's information security team, which a CIO often enlists to place a moat around corporate assets.
Mike Bartholomy takes a different tack at Western Union. The financial services firm's senior manager for information security says that companies that try to block everything may see it backfire. "What we've seen happen in other organizations is that when you take something away that is a great enablement tool that may be moderately risky, you run the risk of pushing users towards something that is very risky," Bartholomy says.
Shadow IT continues to plague companies. Over the next several years IT spending will increasingly occur outside the allotted IT budget, often exceeding 30 percent of total IT spending, according to Gartner analyst Matt Cain. The analyst says that rather than blocking shadow IT, IT should develop a system that outlines when it is appropriate for employees to use their own technology solutions and when IT should take the lead. The idea is to create a digital workplace that aligns corporate workflow more closely to employees’ experiences with consumer computing.
Why aninfosec team implements cloud
Western Union has developed its own system to protect and serve its workforce. The Western Union information security enablement (WISE) program is designed to give its 10,000 employees the technologies it needs to get their jobs done while ensuring that corporate data is secure. Under the purview of CIO David Thompson, Bartholomy and the rest of the information security team enjoy the unusual privilege of evaluating and implementing cloud solutions. “Not too many information security organizations have integrated a social intranet and collaboration tool enterprise-wide,” Bartholomy says.
Those tools include Okta single sign-on software and enterprise social offerings from Jive Software. But its latest project, a corporate-wide roll-out of Box as the company’s new enterprise content management system, may be his most ambitious to date. New solutions tend to come with a steep learning curve, but Box isn’t your enterprise software of yore. Most employees, particularly millennials who grew up consuming web apps, find it intuitive and easy to use from their desktops and mobile devices. To be safe, Bartholomy worked with Box to create videos tutorials and virtual training sessions to help acclimate employees to the technology.
Employees in human resources, legal, compliance, IT and other departments are increasingly using the cloud software to share and synchronize files across desktops and mobile devices. Bartholomy sees the implementation of Box, as well as tools such as Okta and Jive as necessary.
Some 60 percent of Western Union employees are millennials who fit the mold of individuals who will find the tools they need to perform their work most efficiently. By providing access to Box, Bartholomy says he is helping IT avoid the risk. "If you don't have an enterprise solution in a space, and you try to block everything, people will find a way," to consume the technologies they need, Bartholomy says. "Security is taking a seat at the table and trying to drive innovation through these projects."
Box competes in a broad market with Microsoft, Dropbox, Google and dozens of other vendors. Bartholomy says Box’ adherence to PCI, the payment card protocol, was a big selling point in the deal. Also crucial was Box’ automated retention capabilities, a big improvement over the company’s traditional approach of manually classifying records as those that can be shared externally versus kept in-house. Another reason: Box’ APIs integrate well with Okta, Jive and other cloud tools.
Now Bartholomy is trying to phase out the large pockets of existing file-synch technologies, including LAN-sharing and SharePoint sites. He says Western Union has a multi-year roadmap with which to migrate data to Box from those legacy tools. Ultimately, he expects Box to become the company’s de facto enterprise content management system.
Tracking unsanctioned cloud apps
Despite Western Union's proactive approach to enable end-user computing, shadow IT remains a concern for the company. Although it does not plan to block all unsanctioned software, it knows exactly what is being used at all times with the help of Skyhigh Networks, a cloud security platform companies license to track what SaaS tools employees are consuming as well as how much data they are generating. Bartholomy won't name how many cloud apps employees are using but noted the number is high. “It’s eye opening but also very valuable,” he says.
Bartholomy says the end-user technology unit also works with the broader IT unit on corporate technology strategy, including implementing other cloud solutions, such as Workday. While the company consumes a lot of cloud software for a financial services firm, it doesn’t adopt cloud casually. Like any other vendor Western Union works with, SaaS providers go through a risk assessment process to ensure that they meet the company’s rigorous security standards.
"Because we are in a financial services organization, compliance is a big part of what we do so making sure that those vendors are doing all of the right things to make sure that we feel good about using them,” Bartholomy says.